Grum Botnet Shutdown Sharply Cuts Spam Levels, but for How Long?

One of the world's largest spamming botnets
has been knocked out of commission, though it is unclear just how long the
respite users may be seeing from spam will last.

Grum, which may have been responsible for roughly
20 percent of the world's spam, has been taken offline. Dutch authorities got
the ball rolling July 16 when they took down two of the command-and-control
(C&C) servers at IP addresses 94.102.51.226 and 94.102.51.227, which
researchers at IT security company FireEye had linked to the notorious botnet.

This was only a partial victory, however, as
master C&C servers in Panama and Russia were still operating. Then the
server in Panama was shut down the following day. However, some bad news
arrived as several new servers had emerged in the Ukraine to take the place of
the servers that had been taken offline. That move only bought the botnet's
operators a day, however, as the servers in the Ukraine and the one in Russia were
taken down July 18.

"Eighteen percent of worldwide spam from
Grum [is now] completely offline," said Atif
Mushtaq, senior staff scientist at FireEye. "We've seen the number of
infected machines sending emails drop from 120,000 to 20,000 to zero. In
addition, reports from SpamHaus and Trustwave indicate that the Lethic botnet
has gone underground. Overall, we're seeing a global reduction in spam of about
50 percent, the lowest levels ever."

Grum's name can be added to a list of botnets
that have been taken down due to the efforts of the research community. In the
past three years, Microsoft, for example, has spearheaded an effort to take
botnet operators to court, and has helped successfully target the operators of
Kelihos, Rustock, Waledac and a Zeus botnet.

"This illustrates again that the private
sector is increasingly getting involved in cyber-defense issues," commented
Kapil Raina, director of product marketing at security firm
Zscaler. "Traditionally, government entities monitored and pursued these
entities, but now we are starting to see a dramatic shift in the private sector
community directly getting involved to protect end users. In the short
term, this will be very beneficial for consumers, but longer-term implications
of legal policy and enforcement have yet to be sorted out."

In the case of Grum, the success of the
takedown shows that spammers do not have the safe havens they once had, Mushtaq
opined. He admitted he was briefly stunned when the bot herders replaced the
two Dutch servers with the six in the Ukraine, a place that traditionally has
been a safe spot for bot herders and where getting servers shut down has never
been easy.

"I immediately shared this new
information with three different parties: Carel van Straten and Thomas Morrison
from Spamhaus,
Alex Kuzmin from CERT-GIB, and an anonymous researcher who goes by the
pseudonym Nova7," Mushtaq noted in a blog post. "After they got all
the evidence from my side, they moved quickly passing this intelligence back to
their contacts in Ukraine and Russia. As a result of this overnight operation,
all six new servers in Ukraine and the original Russian server were dead as of
today, July 18, at 11:00 AM PST."

The primary server located in Russia was not
taken down by its ISP, but by an upstream provider who came in and null-routed
the IP address at FireEye's request, the researcher added.

"The takedown of the Grum botnet
should last; we reverse-engineered Grum and determined there are no adaptive
mechanisms for the infected machines to communicate with the new servers,"
Mushtaq told eWEEK.

Historical trends however show that spam
levels will not stay down forever, usually kicking back up about four to six
weeks after a takedown, said Adam Wosotowsky, messaging data architect at
McAfee Labs.

"That being said, lately botnet
shutdowns have tended to push botmasters away from spam and more towards
persistent infections and exfiltrating of intellectual property," he
said. "It's safer for the botnet and can probably produce more
money. This time around I would not expect for the recovery in spam to be
quite as fast as it has been in the past, for just that
reason."